How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash

Beginning over two weeks ago, reports have trickled in on Reddit community “r/btc”—the de facto hub for supporters of bitcoin rival bitcoin cash (BCH)—of accounts being compromised by a new and worrying attack vector. What may have read to sceptics as infighting between two contentious factions was confirmed today as a genuine and novel hack that allowed malicious parties to access their targets’ Reddit accounts. And it seems the attackers exploited the vulnerability to steal thousands of dollars in BCH.

Image: Gizmodo

The first of this rash of attacks compromised the account of an r/btc moderator on December 20th. Administrative privileges from the hacked account were used to, among other things, reconfigure the r/btc subreddit so it pointed to its rival, r/bitcoin. As over half a dozen more reports of compromised accounts popped up on r/btc over the next two weeks, details emerged as to how the hacks were accomplished.

As user Jessquit summarised on December 31st:

[M]y account was just hacked a few hours ago and the password changed [...] The attacker was able to change my password by sending a password recovery email then clicking the link in the email to reset the password, even though I have activated [two-factor authentication] on my Reddit account, and my email was not compromised. This is a very dangerous turn of events.

The exploit allowed hackers to request a password reset for a target account and then click the generated link without opening the email it had been sent in. How was this possible? Theories circulated, buoyed by posts on Hacker Noon and The Next Web. It was the r/bitcoin users out to cause trouble; or was it a Reddit admin gone rogue?

But this attack had incentive beyond ideology. What made the users of r/btc such a rich target was the deployment of a bot account called Tippr, which was used, among other things, to reward a particularly funny or insightful comment. By tagging someone and designating an amount, Tippr withdrew some BCH from your hotwallet and allocated it to the recipient. Given that Tippr is active on both Reddit and Twitter (where it provides its donation service for such heavyweights as the Tor Project), there was easy money to be had.

At least Rob Danielson, the creator of Tippr, seems to believe the most likely culprit is “someone [who] realised they had an opportunity to make some quick money.” He told Gizmodo over Twitter DM that the attackers made off with “somewhere between $2k-$4k worth of BCH” by using the hacked accounts to request withdrawals from Tippr through Reddit private message.

This isn’t the first time a tipping bot on Reddit has resulted in lost funds. Eight months ago, the dogecoin community was stunned by an unapologetic post from the creator of dogetipbot where they detailed having stolen the entire donation pot to fund their failing business. The Tippr incident bears some passing similarity—and bred the usual conspiracy theories—though Danielson took immediate action to prevent further breaches. “After finding out about it, I disabled Tippr’s Reddit functionality,” he wrote.

Reddit’s response came this morning from engineer u/gooeyblob, confirming the bug but thankfully no one’s worst suspicions. The weak link was identified as Mailgun—a third-party service Reddit uses to send automated emails. In total, Reddit estimates the number of compromised accounts was “less than twenty”:

A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails. The nature of the exploit meant that an unauthorised person was able to access the contents of the reset email. This individual did not have access to either Reddit’s systems or to a redditor’s email account. As an immediate precautionary measure, we moved reset emails to an in-house mail server.

Mailgun’s own post confirms the attack vector, and claims “customer payment information was not compromised.” According to Mailgun “we believe less than 1% of our customer base was potentially affected.”

Although Reddit and Mailgun claim this specific issue has been resolved, we suggest turning two-factor authentication on for Reddit, email, and anything else sensitive you use online.

Who is responsible and where those stolen BCH ended up? For now, it remains a mystery.